wolf SSL
wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
src/ocsp.c@17:a5f916481144, 2020-06-05 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 05 00:11:07 2020 +0000
- Revision:
- 17:a5f916481144
- Parent:
- 16:8e0d178b1d1e
wolfSSL 4.4.0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| wolfSSL | 15:117db924cf7c | 1 | /* ocsp.c |
| wolfSSL | 15:117db924cf7c | 2 | * |
| wolfSSL | 16:8e0d178b1d1e | 3 | * Copyright (C) 2006-2020 wolfSSL Inc. |
| wolfSSL | 15:117db924cf7c | 4 | * |
| wolfSSL | 15:117db924cf7c | 5 | * This file is part of wolfSSL. |
| wolfSSL | 15:117db924cf7c | 6 | * |
| wolfSSL | 15:117db924cf7c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
| wolfSSL | 15:117db924cf7c | 8 | * it under the terms of the GNU General Public License as published by |
| wolfSSL | 15:117db924cf7c | 9 | * the Free Software Foundation; either version 2 of the License, or |
| wolfSSL | 15:117db924cf7c | 10 | * (at your option) any later version. |
| wolfSSL | 15:117db924cf7c | 11 | * |
| wolfSSL | 15:117db924cf7c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
| wolfSSL | 15:117db924cf7c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| wolfSSL | 15:117db924cf7c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| wolfSSL | 15:117db924cf7c | 15 | * GNU General Public License for more details. |
| wolfSSL | 15:117db924cf7c | 16 | * |
| wolfSSL | 15:117db924cf7c | 17 | * You should have received a copy of the GNU General Public License |
| wolfSSL | 15:117db924cf7c | 18 | * along with this program; if not, write to the Free Software |
| wolfSSL | 15:117db924cf7c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
| wolfSSL | 15:117db924cf7c | 20 | */ |
| wolfSSL | 15:117db924cf7c | 21 | |
| wolfSSL | 15:117db924cf7c | 22 | |
| wolfSSL | 15:117db924cf7c | 23 | /* Name change compatibility layer no longer needs to be included here */ |
| wolfSSL | 15:117db924cf7c | 24 | |
| wolfSSL | 15:117db924cf7c | 25 | #ifdef HAVE_CONFIG_H |
| wolfSSL | 15:117db924cf7c | 26 | #include <config.h> |
| wolfSSL | 15:117db924cf7c | 27 | #endif |
| wolfSSL | 15:117db924cf7c | 28 | |
| wolfSSL | 15:117db924cf7c | 29 | #include <wolfssl/wolfcrypt/settings.h> |
| wolfSSL | 15:117db924cf7c | 30 | |
| wolfSSL | 15:117db924cf7c | 31 | #ifndef WOLFCRYPT_ONLY |
| wolfSSL | 15:117db924cf7c | 32 | #ifdef HAVE_OCSP |
| wolfSSL | 15:117db924cf7c | 33 | |
| wolfSSL | 15:117db924cf7c | 34 | #include <wolfssl/error-ssl.h> |
| wolfSSL | 15:117db924cf7c | 35 | #include <wolfssl/ocsp.h> |
| wolfSSL | 15:117db924cf7c | 36 | #include <wolfssl/internal.h> |
| wolfSSL | 15:117db924cf7c | 37 | |
| wolfSSL | 15:117db924cf7c | 38 | #ifdef NO_INLINE |
| wolfSSL | 15:117db924cf7c | 39 | #include <wolfssl/wolfcrypt/misc.h> |
| wolfSSL | 15:117db924cf7c | 40 | #else |
| wolfSSL | 15:117db924cf7c | 41 | #define WOLFSSL_MISC_INCLUDED |
| wolfSSL | 15:117db924cf7c | 42 | #include <wolfcrypt/src/misc.c> |
| wolfSSL | 15:117db924cf7c | 43 | #endif |
| wolfSSL | 15:117db924cf7c | 44 | |
| wolfSSL | 15:117db924cf7c | 45 | |
| wolfSSL | 15:117db924cf7c | 46 | int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm) |
| wolfSSL | 15:117db924cf7c | 47 | { |
| wolfSSL | 15:117db924cf7c | 48 | WOLFSSL_ENTER("InitOCSP"); |
| wolfSSL | 15:117db924cf7c | 49 | |
| wolfSSL | 15:117db924cf7c | 50 | ForceZero(ocsp, sizeof(WOLFSSL_OCSP)); |
| wolfSSL | 15:117db924cf7c | 51 | |
| wolfSSL | 15:117db924cf7c | 52 | if (wc_InitMutex(&ocsp->ocspLock) != 0) |
| wolfSSL | 15:117db924cf7c | 53 | return BAD_MUTEX_E; |
| wolfSSL | 15:117db924cf7c | 54 | |
| wolfSSL | 15:117db924cf7c | 55 | ocsp->cm = cm; |
| wolfSSL | 15:117db924cf7c | 56 | |
| wolfSSL | 15:117db924cf7c | 57 | return 0; |
| wolfSSL | 15:117db924cf7c | 58 | } |
| wolfSSL | 15:117db924cf7c | 59 | |
| wolfSSL | 15:117db924cf7c | 60 | |
| wolfSSL | 15:117db924cf7c | 61 | static int InitOcspEntry(OcspEntry* entry, OcspRequest* request) |
| wolfSSL | 15:117db924cf7c | 62 | { |
| wolfSSL | 15:117db924cf7c | 63 | WOLFSSL_ENTER("InitOcspEntry"); |
| wolfSSL | 15:117db924cf7c | 64 | |
| wolfSSL | 15:117db924cf7c | 65 | ForceZero(entry, sizeof(OcspEntry)); |
| wolfSSL | 15:117db924cf7c | 66 | |
| wolfSSL | 15:117db924cf7c | 67 | XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE); |
| wolfSSL | 15:117db924cf7c | 68 | XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE); |
| wolfSSL | 15:117db924cf7c | 69 | |
| wolfSSL | 15:117db924cf7c | 70 | return 0; |
| wolfSSL | 15:117db924cf7c | 71 | } |
| wolfSSL | 15:117db924cf7c | 72 | |
| wolfSSL | 15:117db924cf7c | 73 | |
| wolfSSL | 15:117db924cf7c | 74 | static void FreeOcspEntry(OcspEntry* entry, void* heap) |
| wolfSSL | 15:117db924cf7c | 75 | { |
| wolfSSL | 15:117db924cf7c | 76 | CertStatus *status, *next; |
| wolfSSL | 15:117db924cf7c | 77 | |
| wolfSSL | 15:117db924cf7c | 78 | WOLFSSL_ENTER("FreeOcspEntry"); |
| wolfSSL | 15:117db924cf7c | 79 | |
| wolfSSL | 15:117db924cf7c | 80 | for (status = entry->status; status; status = next) { |
| wolfSSL | 15:117db924cf7c | 81 | next = status->next; |
| wolfSSL | 15:117db924cf7c | 82 | |
| wolfSSL | 15:117db924cf7c | 83 | if (status->rawOcspResponse) |
| wolfSSL | 15:117db924cf7c | 84 | XFREE(status->rawOcspResponse, heap, DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 15:117db924cf7c | 85 | |
| wolfSSL | 15:117db924cf7c | 86 | XFREE(status, heap, DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 15:117db924cf7c | 87 | } |
| wolfSSL | 15:117db924cf7c | 88 | |
| wolfSSL | 15:117db924cf7c | 89 | (void)heap; |
| wolfSSL | 15:117db924cf7c | 90 | } |
| wolfSSL | 15:117db924cf7c | 91 | |
| wolfSSL | 15:117db924cf7c | 92 | |
| wolfSSL | 15:117db924cf7c | 93 | void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic) |
| wolfSSL | 15:117db924cf7c | 94 | { |
| wolfSSL | 15:117db924cf7c | 95 | OcspEntry *entry, *next; |
| wolfSSL | 15:117db924cf7c | 96 | |
| wolfSSL | 15:117db924cf7c | 97 | WOLFSSL_ENTER("FreeOCSP"); |
| wolfSSL | 15:117db924cf7c | 98 | |
| wolfSSL | 15:117db924cf7c | 99 | for (entry = ocsp->ocspList; entry; entry = next) { |
| wolfSSL | 15:117db924cf7c | 100 | next = entry->next; |
| wolfSSL | 15:117db924cf7c | 101 | FreeOcspEntry(entry, ocsp->cm->heap); |
| wolfSSL | 15:117db924cf7c | 102 | XFREE(entry, ocsp->cm->heap, DYNAMIC_TYPE_OCSP_ENTRY); |
| wolfSSL | 15:117db924cf7c | 103 | } |
| wolfSSL | 15:117db924cf7c | 104 | |
| wolfSSL | 15:117db924cf7c | 105 | wc_FreeMutex(&ocsp->ocspLock); |
| wolfSSL | 15:117db924cf7c | 106 | |
| wolfSSL | 15:117db924cf7c | 107 | if (dynamic) |
| wolfSSL | 15:117db924cf7c | 108 | XFREE(ocsp, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); |
| wolfSSL | 15:117db924cf7c | 109 | |
| wolfSSL | 15:117db924cf7c | 110 | } |
| wolfSSL | 15:117db924cf7c | 111 | |
| wolfSSL | 15:117db924cf7c | 112 | |
| wolfSSL | 15:117db924cf7c | 113 | static int xstat2err(int st) |
| wolfSSL | 15:117db924cf7c | 114 | { |
| wolfSSL | 15:117db924cf7c | 115 | switch (st) { |
| wolfSSL | 15:117db924cf7c | 116 | case CERT_GOOD: |
| wolfSSL | 15:117db924cf7c | 117 | return 0; |
| wolfSSL | 15:117db924cf7c | 118 | case CERT_REVOKED: |
| wolfSSL | 15:117db924cf7c | 119 | return OCSP_CERT_REVOKED; |
| wolfSSL | 15:117db924cf7c | 120 | default: |
| wolfSSL | 15:117db924cf7c | 121 | return OCSP_CERT_UNKNOWN; |
| wolfSSL | 15:117db924cf7c | 122 | } |
| wolfSSL | 15:117db924cf7c | 123 | } |
| wolfSSL | 15:117db924cf7c | 124 | |
| wolfSSL | 15:117db924cf7c | 125 | int CheckCertOCSP_ex(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer, WOLFSSL* ssl) |
| wolfSSL | 15:117db924cf7c | 126 | { |
| wolfSSL | 15:117db924cf7c | 127 | int ret = OCSP_LOOKUP_FAIL; |
| wolfSSL | 15:117db924cf7c | 128 | |
| wolfSSL | 15:117db924cf7c | 129 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 15:117db924cf7c | 130 | OcspRequest* ocspRequest; |
| wolfSSL | 15:117db924cf7c | 131 | #else |
| wolfSSL | 15:117db924cf7c | 132 | OcspRequest ocspRequest[1]; |
| wolfSSL | 15:117db924cf7c | 133 | #endif |
| wolfSSL | 15:117db924cf7c | 134 | |
| wolfSSL | 15:117db924cf7c | 135 | WOLFSSL_ENTER("CheckCertOCSP"); |
| wolfSSL | 15:117db924cf7c | 136 | |
| wolfSSL | 15:117db924cf7c | 137 | |
| wolfSSL | 15:117db924cf7c | 138 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 15:117db924cf7c | 139 | ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, |
| wolfSSL | 15:117db924cf7c | 140 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 141 | if (ocspRequest == NULL) { |
| wolfSSL | 15:117db924cf7c | 142 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
| wolfSSL | 15:117db924cf7c | 143 | return MEMORY_E; |
| wolfSSL | 15:117db924cf7c | 144 | } |
| wolfSSL | 15:117db924cf7c | 145 | #endif |
| wolfSSL | 15:117db924cf7c | 146 | |
| wolfSSL | 15:117db924cf7c | 147 | if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, |
| wolfSSL | 15:117db924cf7c | 148 | ocsp->cm->heap) == 0) { |
| wolfSSL | 15:117db924cf7c | 149 | ocspRequest->ssl = ssl; |
| wolfSSL | 15:117db924cf7c | 150 | ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer); |
| wolfSSL | 15:117db924cf7c | 151 | |
| wolfSSL | 15:117db924cf7c | 152 | FreeOcspRequest(ocspRequest); |
| wolfSSL | 15:117db924cf7c | 153 | } |
| wolfSSL | 15:117db924cf7c | 154 | |
| wolfSSL | 15:117db924cf7c | 155 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 15:117db924cf7c | 156 | XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 157 | #endif |
| wolfSSL | 15:117db924cf7c | 158 | |
| wolfSSL | 15:117db924cf7c | 159 | WOLFSSL_LEAVE("CheckCertOCSP", ret); |
| wolfSSL | 15:117db924cf7c | 160 | return ret; |
| wolfSSL | 15:117db924cf7c | 161 | } |
| wolfSSL | 15:117db924cf7c | 162 | int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer) |
| wolfSSL | 15:117db924cf7c | 163 | { |
| wolfSSL | 15:117db924cf7c | 164 | return CheckCertOCSP_ex(ocsp, cert, responseBuffer, NULL); |
| wolfSSL | 15:117db924cf7c | 165 | } |
| wolfSSL | 15:117db924cf7c | 166 | |
| wolfSSL | 15:117db924cf7c | 167 | static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, |
| wolfSSL | 15:117db924cf7c | 168 | OcspEntry** entry) |
| wolfSSL | 15:117db924cf7c | 169 | { |
| wolfSSL | 15:117db924cf7c | 170 | WOLFSSL_ENTER("GetOcspEntry"); |
| wolfSSL | 15:117db924cf7c | 171 | |
| wolfSSL | 15:117db924cf7c | 172 | *entry = NULL; |
| wolfSSL | 15:117db924cf7c | 173 | |
| wolfSSL | 15:117db924cf7c | 174 | if (wc_LockMutex(&ocsp->ocspLock) != 0) { |
| wolfSSL | 15:117db924cf7c | 175 | WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); |
| wolfSSL | 15:117db924cf7c | 176 | return BAD_MUTEX_E; |
| wolfSSL | 15:117db924cf7c | 177 | } |
| wolfSSL | 15:117db924cf7c | 178 | |
| wolfSSL | 15:117db924cf7c | 179 | for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next) |
| wolfSSL | 15:117db924cf7c | 180 | if (XMEMCMP((*entry)->issuerHash, request->issuerHash, |
| wolfSSL | 15:117db924cf7c | 181 | OCSP_DIGEST_SIZE) == 0 |
| wolfSSL | 15:117db924cf7c | 182 | && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash, |
| wolfSSL | 15:117db924cf7c | 183 | OCSP_DIGEST_SIZE) == 0) |
| wolfSSL | 15:117db924cf7c | 184 | break; |
| wolfSSL | 15:117db924cf7c | 185 | |
| wolfSSL | 15:117db924cf7c | 186 | if (*entry == NULL) { |
| wolfSSL | 15:117db924cf7c | 187 | *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), |
| wolfSSL | 15:117db924cf7c | 188 | ocsp->cm->heap, DYNAMIC_TYPE_OCSP_ENTRY); |
| wolfSSL | 15:117db924cf7c | 189 | if (*entry) { |
| wolfSSL | 15:117db924cf7c | 190 | InitOcspEntry(*entry, request); |
| wolfSSL | 15:117db924cf7c | 191 | (*entry)->next = ocsp->ocspList; |
| wolfSSL | 15:117db924cf7c | 192 | ocsp->ocspList = *entry; |
| wolfSSL | 15:117db924cf7c | 193 | } |
| wolfSSL | 15:117db924cf7c | 194 | } |
| wolfSSL | 15:117db924cf7c | 195 | |
| wolfSSL | 15:117db924cf7c | 196 | wc_UnLockMutex(&ocsp->ocspLock); |
| wolfSSL | 15:117db924cf7c | 197 | |
| wolfSSL | 15:117db924cf7c | 198 | return *entry ? 0 : MEMORY_ERROR; |
| wolfSSL | 15:117db924cf7c | 199 | } |
| wolfSSL | 15:117db924cf7c | 200 | |
| wolfSSL | 15:117db924cf7c | 201 | |
| wolfSSL | 16:8e0d178b1d1e | 202 | /* Mallocs responseBuffer->buffer and is up to caller to free on success |
| wolfSSL | 16:8e0d178b1d1e | 203 | * |
| wolfSSL | 16:8e0d178b1d1e | 204 | * Returns OCSP status |
| wolfSSL | 16:8e0d178b1d1e | 205 | */ |
| wolfSSL | 15:117db924cf7c | 206 | static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, |
| wolfSSL | 15:117db924cf7c | 207 | OcspEntry* entry, CertStatus** status, buffer* responseBuffer) |
| wolfSSL | 15:117db924cf7c | 208 | { |
| wolfSSL | 15:117db924cf7c | 209 | int ret = OCSP_INVALID_STATUS; |
| wolfSSL | 15:117db924cf7c | 210 | |
| wolfSSL | 15:117db924cf7c | 211 | WOLFSSL_ENTER("GetOcspStatus"); |
| wolfSSL | 15:117db924cf7c | 212 | |
| wolfSSL | 15:117db924cf7c | 213 | *status = NULL; |
| wolfSSL | 15:117db924cf7c | 214 | |
| wolfSSL | 15:117db924cf7c | 215 | if (wc_LockMutex(&ocsp->ocspLock) != 0) { |
| wolfSSL | 15:117db924cf7c | 216 | WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); |
| wolfSSL | 15:117db924cf7c | 217 | return BAD_MUTEX_E; |
| wolfSSL | 15:117db924cf7c | 218 | } |
| wolfSSL | 15:117db924cf7c | 219 | |
| wolfSSL | 15:117db924cf7c | 220 | for (*status = entry->status; *status; *status = (*status)->next) |
| wolfSSL | 15:117db924cf7c | 221 | if ((*status)->serialSz == request->serialSz |
| wolfSSL | 15:117db924cf7c | 222 | && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) |
| wolfSSL | 15:117db924cf7c | 223 | break; |
| wolfSSL | 15:117db924cf7c | 224 | |
| wolfSSL | 15:117db924cf7c | 225 | if (responseBuffer && *status && !(*status)->rawOcspResponse) { |
| wolfSSL | 15:117db924cf7c | 226 | /* force fetching again */ |
| wolfSSL | 15:117db924cf7c | 227 | ret = OCSP_INVALID_STATUS; |
| wolfSSL | 15:117db924cf7c | 228 | } |
| wolfSSL | 15:117db924cf7c | 229 | else if (*status) { |
| wolfSSL | 15:117db924cf7c | 230 | #ifndef NO_ASN_TIME |
| wolfSSL | 16:8e0d178b1d1e | 231 | if (XVALIDATE_DATE((*status)->thisDate, |
| wolfSSL | 16:8e0d178b1d1e | 232 | (*status)->thisDateFormat, BEFORE) |
| wolfSSL | 15:117db924cf7c | 233 | && ((*status)->nextDate[0] != 0) |
| wolfSSL | 16:8e0d178b1d1e | 234 | && XVALIDATE_DATE((*status)->nextDate, |
| wolfSSL | 16:8e0d178b1d1e | 235 | (*status)->nextDateFormat, AFTER)) |
| wolfSSL | 15:117db924cf7c | 236 | #endif |
| wolfSSL | 15:117db924cf7c | 237 | { |
| wolfSSL | 15:117db924cf7c | 238 | ret = xstat2err((*status)->status); |
| wolfSSL | 15:117db924cf7c | 239 | |
| wolfSSL | 15:117db924cf7c | 240 | if (responseBuffer) { |
| wolfSSL | 15:117db924cf7c | 241 | responseBuffer->buffer = (byte*)XMALLOC( |
| wolfSSL | 15:117db924cf7c | 242 | (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 243 | |
| wolfSSL | 15:117db924cf7c | 244 | if (responseBuffer->buffer) { |
| wolfSSL | 15:117db924cf7c | 245 | responseBuffer->length = (*status)->rawOcspResponseSz; |
| wolfSSL | 15:117db924cf7c | 246 | XMEMCPY(responseBuffer->buffer, |
| wolfSSL | 15:117db924cf7c | 247 | (*status)->rawOcspResponse, |
| wolfSSL | 15:117db924cf7c | 248 | (*status)->rawOcspResponseSz); |
| wolfSSL | 15:117db924cf7c | 249 | } |
| wolfSSL | 15:117db924cf7c | 250 | } |
| wolfSSL | 15:117db924cf7c | 251 | } |
| wolfSSL | 15:117db924cf7c | 252 | } |
| wolfSSL | 15:117db924cf7c | 253 | |
| wolfSSL | 15:117db924cf7c | 254 | wc_UnLockMutex(&ocsp->ocspLock); |
| wolfSSL | 15:117db924cf7c | 255 | |
| wolfSSL | 15:117db924cf7c | 256 | return ret; |
| wolfSSL | 15:117db924cf7c | 257 | } |
| wolfSSL | 15:117db924cf7c | 258 | |
| wolfSSL | 15:117db924cf7c | 259 | /* Check that the response for validity. Store result in status. |
| wolfSSL | 15:117db924cf7c | 260 | * |
| wolfSSL | 15:117db924cf7c | 261 | * ocsp Context object for OCSP status. |
| wolfSSL | 15:117db924cf7c | 262 | * response OCSP response message data. |
| wolfSSL | 15:117db924cf7c | 263 | * responseSz Length of OCSP response message data. |
| wolfSSL | 15:117db924cf7c | 264 | * reponseBuffer Buffer object to return the response with. |
| wolfSSL | 15:117db924cf7c | 265 | * status The certificate status object. |
| wolfSSL | 15:117db924cf7c | 266 | * entry The OCSP entry for this certificate. |
| wolfSSL | 15:117db924cf7c | 267 | * returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise. |
| wolfSSL | 15:117db924cf7c | 268 | */ |
| wolfSSL | 16:8e0d178b1d1e | 269 | WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz, |
| wolfSSL | 16:8e0d178b1d1e | 270 | WOLFSSL_BUFFER_INFO *responseBuffer, CertStatus *status, |
| wolfSSL | 16:8e0d178b1d1e | 271 | OcspEntry *entry, OcspRequest *ocspRequest) |
| wolfSSL | 15:117db924cf7c | 272 | { |
| wolfSSL | 15:117db924cf7c | 273 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 15:117db924cf7c | 274 | CertStatus* newStatus; |
| wolfSSL | 15:117db924cf7c | 275 | OcspResponse* ocspResponse; |
| wolfSSL | 15:117db924cf7c | 276 | #else |
| wolfSSL | 15:117db924cf7c | 277 | CertStatus newStatus[1]; |
| wolfSSL | 15:117db924cf7c | 278 | OcspResponse ocspResponse[1]; |
| wolfSSL | 15:117db924cf7c | 279 | #endif |
| wolfSSL | 15:117db924cf7c | 280 | int ret; |
| wolfSSL | 15:117db924cf7c | 281 | int validated = 0; /* ocsp validation flag */ |
| wolfSSL | 15:117db924cf7c | 282 | |
| wolfSSL | 15:117db924cf7c | 283 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 15:117db924cf7c | 284 | newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
| wolfSSL | 15:117db924cf7c | 285 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 286 | ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, |
| wolfSSL | 15:117db924cf7c | 287 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 288 | |
| wolfSSL | 15:117db924cf7c | 289 | if (newStatus == NULL || ocspResponse == NULL) { |
| wolfSSL | 15:117db924cf7c | 290 | if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 291 | if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 292 | |
| wolfSSL | 15:117db924cf7c | 293 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
| wolfSSL | 15:117db924cf7c | 294 | return MEMORY_E; |
| wolfSSL | 15:117db924cf7c | 295 | } |
| wolfSSL | 15:117db924cf7c | 296 | #endif |
| wolfSSL | 15:117db924cf7c | 297 | XMEMSET(newStatus, 0, sizeof(CertStatus)); |
| wolfSSL | 15:117db924cf7c | 298 | |
| wolfSSL | 15:117db924cf7c | 299 | InitOcspResponse(ocspResponse, newStatus, response, responseSz); |
| wolfSSL | 15:117db924cf7c | 300 | ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0); |
| wolfSSL | 15:117db924cf7c | 301 | if (ret != 0) { |
| wolfSSL | 16:8e0d178b1d1e | 302 | ocsp->error = ret; |
| wolfSSL | 16:8e0d178b1d1e | 303 | WOLFSSL_LEAVE("OcspResponseDecode failed", ocsp->error); |
| wolfSSL | 15:117db924cf7c | 304 | goto end; |
| wolfSSL | 15:117db924cf7c | 305 | } |
| wolfSSL | 15:117db924cf7c | 306 | |
| wolfSSL | 15:117db924cf7c | 307 | if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) { |
| wolfSSL | 15:117db924cf7c | 308 | WOLFSSL_MSG("OcspResponse status bad"); |
| wolfSSL | 15:117db924cf7c | 309 | goto end; |
| wolfSSL | 15:117db924cf7c | 310 | } |
| wolfSSL | 15:117db924cf7c | 311 | if (ocspRequest != NULL) { |
| wolfSSL | 15:117db924cf7c | 312 | ret = CompareOcspReqResp(ocspRequest, ocspResponse); |
| wolfSSL | 15:117db924cf7c | 313 | if (ret != 0) { |
| wolfSSL | 15:117db924cf7c | 314 | goto end; |
| wolfSSL | 15:117db924cf7c | 315 | } |
| wolfSSL | 15:117db924cf7c | 316 | } |
| wolfSSL | 15:117db924cf7c | 317 | |
| wolfSSL | 15:117db924cf7c | 318 | if (responseBuffer) { |
| wolfSSL | 15:117db924cf7c | 319 | responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap, |
| wolfSSL | 15:117db924cf7c | 320 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 321 | |
| wolfSSL | 15:117db924cf7c | 322 | if (responseBuffer->buffer) { |
| wolfSSL | 15:117db924cf7c | 323 | responseBuffer->length = responseSz; |
| wolfSSL | 15:117db924cf7c | 324 | XMEMCPY(responseBuffer->buffer, response, responseSz); |
| wolfSSL | 15:117db924cf7c | 325 | } |
| wolfSSL | 15:117db924cf7c | 326 | } |
| wolfSSL | 15:117db924cf7c | 327 | |
| wolfSSL | 15:117db924cf7c | 328 | ret = xstat2err(ocspResponse->status->status); |
| wolfSSL | 15:117db924cf7c | 329 | if (ret == 0) { |
| wolfSSL | 15:117db924cf7c | 330 | validated = 1; |
| wolfSSL | 15:117db924cf7c | 331 | } |
| wolfSSL | 15:117db924cf7c | 332 | |
| wolfSSL | 15:117db924cf7c | 333 | if (wc_LockMutex(&ocsp->ocspLock) != 0) { |
| wolfSSL | 15:117db924cf7c | 334 | ret = BAD_MUTEX_E; |
| wolfSSL | 15:117db924cf7c | 335 | goto end; |
| wolfSSL | 15:117db924cf7c | 336 | } |
| wolfSSL | 15:117db924cf7c | 337 | |
| wolfSSL | 15:117db924cf7c | 338 | if (status != NULL) { |
| wolfSSL | 15:117db924cf7c | 339 | if (status->rawOcspResponse) { |
| wolfSSL | 15:117db924cf7c | 340 | XFREE(status->rawOcspResponse, ocsp->cm->heap, |
| wolfSSL | 15:117db924cf7c | 341 | DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 15:117db924cf7c | 342 | } |
| wolfSSL | 15:117db924cf7c | 343 | |
| wolfSSL | 15:117db924cf7c | 344 | /* Replace existing certificate entry with updated */ |
| wolfSSL | 16:8e0d178b1d1e | 345 | newStatus->next = status->next; |
| wolfSSL | 15:117db924cf7c | 346 | XMEMCPY(status, newStatus, sizeof(CertStatus)); |
| wolfSSL | 15:117db924cf7c | 347 | } |
| wolfSSL | 15:117db924cf7c | 348 | else { |
| wolfSSL | 15:117db924cf7c | 349 | /* Save new certificate entry */ |
| wolfSSL | 15:117db924cf7c | 350 | status = (CertStatus*)XMALLOC(sizeof(CertStatus), |
| wolfSSL | 15:117db924cf7c | 351 | ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 15:117db924cf7c | 352 | if (status != NULL) { |
| wolfSSL | 15:117db924cf7c | 353 | XMEMCPY(status, newStatus, sizeof(CertStatus)); |
| wolfSSL | 15:117db924cf7c | 354 | status->next = entry->status; |
| wolfSSL | 15:117db924cf7c | 355 | entry->status = status; |
| wolfSSL | 15:117db924cf7c | 356 | entry->totalStatus++; |
| wolfSSL | 15:117db924cf7c | 357 | } |
| wolfSSL | 15:117db924cf7c | 358 | } |
| wolfSSL | 15:117db924cf7c | 359 | |
| wolfSSL | 15:117db924cf7c | 360 | if (status && responseBuffer && responseBuffer->buffer) { |
| wolfSSL | 15:117db924cf7c | 361 | status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length, |
| wolfSSL | 15:117db924cf7c | 362 | ocsp->cm->heap, |
| wolfSSL | 15:117db924cf7c | 363 | DYNAMIC_TYPE_OCSP_STATUS); |
| wolfSSL | 15:117db924cf7c | 364 | |
| wolfSSL | 15:117db924cf7c | 365 | if (status->rawOcspResponse) { |
| wolfSSL | 15:117db924cf7c | 366 | status->rawOcspResponseSz = responseBuffer->length; |
| wolfSSL | 15:117db924cf7c | 367 | XMEMCPY(status->rawOcspResponse, responseBuffer->buffer, |
| wolfSSL | 15:117db924cf7c | 368 | responseBuffer->length); |
| wolfSSL | 15:117db924cf7c | 369 | } |
| wolfSSL | 15:117db924cf7c | 370 | } |
| wolfSSL | 15:117db924cf7c | 371 | |
| wolfSSL | 15:117db924cf7c | 372 | wc_UnLockMutex(&ocsp->ocspLock); |
| wolfSSL | 15:117db924cf7c | 373 | |
| wolfSSL | 15:117db924cf7c | 374 | end: |
| wolfSSL | 15:117db924cf7c | 375 | if (ret == 0 && validated == 1) { |
| wolfSSL | 15:117db924cf7c | 376 | WOLFSSL_MSG("New OcspResponse validated"); |
| wolfSSL | 15:117db924cf7c | 377 | } else if (ret != OCSP_CERT_REVOKED) { |
| wolfSSL | 15:117db924cf7c | 378 | ret = OCSP_LOOKUP_FAIL; |
| wolfSSL | 15:117db924cf7c | 379 | } |
| wolfSSL | 15:117db924cf7c | 380 | |
| wolfSSL | 15:117db924cf7c | 381 | #ifdef WOLFSSL_SMALL_STACK |
| wolfSSL | 15:117db924cf7c | 382 | XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 383 | XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 384 | #endif |
| wolfSSL | 15:117db924cf7c | 385 | return ret; |
| wolfSSL | 15:117db924cf7c | 386 | } |
| wolfSSL | 15:117db924cf7c | 387 | |
| wolfSSL | 15:117db924cf7c | 388 | /* 0 on success */ |
| wolfSSL | 15:117db924cf7c | 389 | int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, |
| wolfSSL | 15:117db924cf7c | 390 | buffer* responseBuffer) |
| wolfSSL | 15:117db924cf7c | 391 | { |
| wolfSSL | 15:117db924cf7c | 392 | OcspEntry* entry = NULL; |
| wolfSSL | 15:117db924cf7c | 393 | CertStatus* status = NULL; |
| wolfSSL | 15:117db924cf7c | 394 | byte* request = NULL; |
| wolfSSL | 15:117db924cf7c | 395 | int requestSz = 2048; |
| wolfSSL | 15:117db924cf7c | 396 | int responseSz = 0; |
| wolfSSL | 15:117db924cf7c | 397 | byte* response = NULL; |
| wolfSSL | 15:117db924cf7c | 398 | const char* url = NULL; |
| wolfSSL | 15:117db924cf7c | 399 | int urlSz = 0; |
| wolfSSL | 15:117db924cf7c | 400 | int ret = -1; |
| wolfSSL | 15:117db924cf7c | 401 | WOLFSSL* ssl; |
| wolfSSL | 15:117db924cf7c | 402 | void* ioCtx; |
| wolfSSL | 15:117db924cf7c | 403 | |
| wolfSSL | 15:117db924cf7c | 404 | WOLFSSL_ENTER("CheckOcspRequest"); |
| wolfSSL | 15:117db924cf7c | 405 | |
| wolfSSL | 15:117db924cf7c | 406 | if (ocsp == NULL || ocspRequest == NULL) |
| wolfSSL | 15:117db924cf7c | 407 | return BAD_FUNC_ARG; |
| wolfSSL | 15:117db924cf7c | 408 | |
| wolfSSL | 15:117db924cf7c | 409 | if (responseBuffer) { |
| wolfSSL | 15:117db924cf7c | 410 | responseBuffer->buffer = NULL; |
| wolfSSL | 15:117db924cf7c | 411 | responseBuffer->length = 0; |
| wolfSSL | 15:117db924cf7c | 412 | } |
| wolfSSL | 15:117db924cf7c | 413 | |
| wolfSSL | 15:117db924cf7c | 414 | ret = GetOcspEntry(ocsp, ocspRequest, &entry); |
| wolfSSL | 15:117db924cf7c | 415 | if (ret != 0) |
| wolfSSL | 15:117db924cf7c | 416 | return ret; |
| wolfSSL | 15:117db924cf7c | 417 | |
| wolfSSL | 15:117db924cf7c | 418 | ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer); |
| wolfSSL | 15:117db924cf7c | 419 | if (ret != OCSP_INVALID_STATUS) |
| wolfSSL | 15:117db924cf7c | 420 | return ret; |
| wolfSSL | 15:117db924cf7c | 421 | |
| wolfSSL | 15:117db924cf7c | 422 | /* get SSL and IOCtx */ |
| wolfSSL | 15:117db924cf7c | 423 | ssl = (WOLFSSL*)ocspRequest->ssl; |
| wolfSSL | 15:117db924cf7c | 424 | ioCtx = (ssl && ssl->ocspIOCtx != NULL) ? |
| wolfSSL | 15:117db924cf7c | 425 | ssl->ocspIOCtx : ocsp->cm->ocspIOCtx; |
| wolfSSL | 15:117db924cf7c | 426 | |
| wolfSSL | 15:117db924cf7c | 427 | #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
| wolfSSL | 15:117db924cf7c | 428 | if (ocsp->statusCb != NULL && ssl != NULL) { |
| wolfSSL | 15:117db924cf7c | 429 | ret = ocsp->statusCb(ssl, ioCtx); |
| wolfSSL | 15:117db924cf7c | 430 | if (ret == 0) { |
| wolfSSL | 15:117db924cf7c | 431 | ret = wolfSSL_get_ocsp_response(ssl, &response); |
| wolfSSL | 16:8e0d178b1d1e | 432 | ret = CheckOcspResponse(ocsp, response, ret, responseBuffer, status, |
| wolfSSL | 15:117db924cf7c | 433 | entry, NULL); |
| wolfSSL | 15:117db924cf7c | 434 | if (response != NULL) |
| wolfSSL | 15:117db924cf7c | 435 | XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 436 | return ret; |
| wolfSSL | 15:117db924cf7c | 437 | } |
| wolfSSL | 16:8e0d178b1d1e | 438 | WOLFSSL_LEAVE("CheckOcspRequest", ocsp->error); |
| wolfSSL | 15:117db924cf7c | 439 | return OCSP_LOOKUP_FAIL; |
| wolfSSL | 15:117db924cf7c | 440 | } |
| wolfSSL | 15:117db924cf7c | 441 | #endif |
| wolfSSL | 15:117db924cf7c | 442 | |
| wolfSSL | 15:117db924cf7c | 443 | if (ocsp->cm->ocspUseOverrideURL) { |
| wolfSSL | 15:117db924cf7c | 444 | url = ocsp->cm->ocspOverrideURL; |
| wolfSSL | 15:117db924cf7c | 445 | if (url != NULL && url[0] != '\0') |
| wolfSSL | 15:117db924cf7c | 446 | urlSz = (int)XSTRLEN(url); |
| wolfSSL | 15:117db924cf7c | 447 | else |
| wolfSSL | 15:117db924cf7c | 448 | return OCSP_NEED_URL; |
| wolfSSL | 15:117db924cf7c | 449 | } |
| wolfSSL | 15:117db924cf7c | 450 | else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) { |
| wolfSSL | 15:117db924cf7c | 451 | url = (const char *)ocspRequest->url; |
| wolfSSL | 15:117db924cf7c | 452 | urlSz = ocspRequest->urlSz; |
| wolfSSL | 15:117db924cf7c | 453 | } |
| wolfSSL | 15:117db924cf7c | 454 | else { |
| wolfSSL | 15:117db924cf7c | 455 | /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ |
| wolfSSL | 15:117db924cf7c | 456 | return 0; |
| wolfSSL | 15:117db924cf7c | 457 | } |
| wolfSSL | 15:117db924cf7c | 458 | |
| wolfSSL | 15:117db924cf7c | 459 | request = (byte*)XMALLOC(requestSz, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); |
| wolfSSL | 15:117db924cf7c | 460 | if (request == NULL) { |
| wolfSSL | 15:117db924cf7c | 461 | WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); |
| wolfSSL | 16:8e0d178b1d1e | 462 | if (responseBuffer) { |
| wolfSSL | 16:8e0d178b1d1e | 463 | XFREE(responseBuffer->buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 16:8e0d178b1d1e | 464 | responseBuffer->buffer = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 465 | } |
| wolfSSL | 15:117db924cf7c | 466 | return MEMORY_ERROR; |
| wolfSSL | 15:117db924cf7c | 467 | } |
| wolfSSL | 15:117db924cf7c | 468 | |
| wolfSSL | 15:117db924cf7c | 469 | requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); |
| wolfSSL | 15:117db924cf7c | 470 | if (requestSz > 0 && ocsp->cm->ocspIOCb) { |
| wolfSSL | 15:117db924cf7c | 471 | responseSz = ocsp->cm->ocspIOCb(ioCtx, url, urlSz, |
| wolfSSL | 15:117db924cf7c | 472 | request, requestSz, &response); |
| wolfSSL | 15:117db924cf7c | 473 | } |
| wolfSSL | 15:117db924cf7c | 474 | if (responseSz == WOLFSSL_CBIO_ERR_WANT_READ) { |
| wolfSSL | 15:117db924cf7c | 475 | ret = OCSP_WANT_READ; |
| wolfSSL | 15:117db924cf7c | 476 | } |
| wolfSSL | 15:117db924cf7c | 477 | |
| wolfSSL | 15:117db924cf7c | 478 | XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); |
| wolfSSL | 15:117db924cf7c | 479 | |
| wolfSSL | 15:117db924cf7c | 480 | if (responseSz >= 0 && response) { |
| wolfSSL | 16:8e0d178b1d1e | 481 | ret = CheckOcspResponse(ocsp, response, responseSz, responseBuffer, status, |
| wolfSSL | 15:117db924cf7c | 482 | entry, ocspRequest); |
| wolfSSL | 15:117db924cf7c | 483 | } |
| wolfSSL | 15:117db924cf7c | 484 | |
| wolfSSL | 15:117db924cf7c | 485 | if (response != NULL && ocsp->cm->ocspRespFreeCb) |
| wolfSSL | 15:117db924cf7c | 486 | ocsp->cm->ocspRespFreeCb(ioCtx, response); |
| wolfSSL | 15:117db924cf7c | 487 | |
| wolfSSL | 16:8e0d178b1d1e | 488 | /* Keep responseBuffer in the case of getting to response check. Caller |
| wolfSSL | 16:8e0d178b1d1e | 489 | * should free responseBuffer after checking OCSP return value in "ret" */ |
| wolfSSL | 15:117db924cf7c | 490 | WOLFSSL_LEAVE("CheckOcspRequest", ret); |
| wolfSSL | 15:117db924cf7c | 491 | return ret; |
| wolfSSL | 15:117db924cf7c | 492 | } |
| wolfSSL | 15:117db924cf7c | 493 | |
| wolfSSL | 16:8e0d178b1d1e | 494 | #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ |
| wolfSSL | 16:8e0d178b1d1e | 495 | defined(WOLFSSL_APACHE_HTTPD) |
| wolfSSL | 15:117db924cf7c | 496 | |
| wolfSSL | 15:117db924cf7c | 497 | int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, |
| wolfSSL | 15:117db924cf7c | 498 | WOLFSSL_OCSP_CERTID* id, int* status, int* reason, |
| wolfSSL | 15:117db924cf7c | 499 | WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd, |
| wolfSSL | 15:117db924cf7c | 500 | WOLFSSL_ASN1_TIME** nextupd) |
| wolfSSL | 15:117db924cf7c | 501 | { |
| wolfSSL | 15:117db924cf7c | 502 | if (bs == NULL || id == NULL) |
| wolfSSL | 15:117db924cf7c | 503 | return WOLFSSL_FAILURE; |
| wolfSSL | 15:117db924cf7c | 504 | |
| wolfSSL | 15:117db924cf7c | 505 | /* Only supporting one certificate status in asn.c. */ |
| wolfSSL | 15:117db924cf7c | 506 | if (CompareOcspReqResp(id, bs) != 0) |
| wolfSSL | 15:117db924cf7c | 507 | return WOLFSSL_FAILURE; |
| wolfSSL | 15:117db924cf7c | 508 | |
| wolfSSL | 15:117db924cf7c | 509 | if (status != NULL) |
| wolfSSL | 15:117db924cf7c | 510 | *status = bs->status->status; |
| wolfSSL | 15:117db924cf7c | 511 | if (thisupd != NULL) |
| wolfSSL | 16:8e0d178b1d1e | 512 | *thisupd = &bs->status->thisDateParsed; |
| wolfSSL | 15:117db924cf7c | 513 | if (nextupd != NULL) |
| wolfSSL | 16:8e0d178b1d1e | 514 | *nextupd = &bs->status->nextDateParsed; |
| wolfSSL | 15:117db924cf7c | 515 | |
| wolfSSL | 15:117db924cf7c | 516 | /* TODO: Not needed for Nginx. */ |
| wolfSSL | 15:117db924cf7c | 517 | if (reason != NULL) |
| wolfSSL | 15:117db924cf7c | 518 | *reason = 0; |
| wolfSSL | 15:117db924cf7c | 519 | if (revtime != NULL) |
| wolfSSL | 15:117db924cf7c | 520 | *revtime = NULL; |
| wolfSSL | 15:117db924cf7c | 521 | |
| wolfSSL | 15:117db924cf7c | 522 | return WOLFSSL_SUCCESS; |
| wolfSSL | 15:117db924cf7c | 523 | } |
| wolfSSL | 15:117db924cf7c | 524 | |
| wolfSSL | 15:117db924cf7c | 525 | const char *wolfSSL_OCSP_cert_status_str(long s) |
| wolfSSL | 15:117db924cf7c | 526 | { |
| wolfSSL | 15:117db924cf7c | 527 | switch (s) { |
| wolfSSL | 15:117db924cf7c | 528 | case CERT_GOOD: |
| wolfSSL | 15:117db924cf7c | 529 | return "good"; |
| wolfSSL | 15:117db924cf7c | 530 | case CERT_REVOKED: |
| wolfSSL | 15:117db924cf7c | 531 | return "revoked"; |
| wolfSSL | 15:117db924cf7c | 532 | case CERT_UNKNOWN: |
| wolfSSL | 15:117db924cf7c | 533 | return "unknown"; |
| wolfSSL | 15:117db924cf7c | 534 | default: |
| wolfSSL | 15:117db924cf7c | 535 | return "(UNKNOWN)"; |
| wolfSSL | 15:117db924cf7c | 536 | } |
| wolfSSL | 15:117db924cf7c | 537 | } |
| wolfSSL | 15:117db924cf7c | 538 | |
| wolfSSL | 15:117db924cf7c | 539 | int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd, |
| wolfSSL | 15:117db924cf7c | 540 | WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec) |
| wolfSSL | 15:117db924cf7c | 541 | { |
| wolfSSL | 15:117db924cf7c | 542 | (void)thisupd; |
| wolfSSL | 15:117db924cf7c | 543 | (void)nextupd; |
| wolfSSL | 15:117db924cf7c | 544 | (void)sec; |
| wolfSSL | 15:117db924cf7c | 545 | (void)maxsec; |
| wolfSSL | 15:117db924cf7c | 546 | /* Dates validated in DecodeSingleResponse. */ |
| wolfSSL | 15:117db924cf7c | 547 | return WOLFSSL_SUCCESS; |
| wolfSSL | 15:117db924cf7c | 548 | } |
| wolfSSL | 15:117db924cf7c | 549 | |
| wolfSSL | 15:117db924cf7c | 550 | void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId) |
| wolfSSL | 15:117db924cf7c | 551 | { |
| wolfSSL | 15:117db924cf7c | 552 | FreeOcspRequest(certId); |
| wolfSSL | 15:117db924cf7c | 553 | XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 554 | } |
| wolfSSL | 15:117db924cf7c | 555 | |
| wolfSSL | 15:117db924cf7c | 556 | WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( |
| wolfSSL | 15:117db924cf7c | 557 | const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject, |
| wolfSSL | 15:117db924cf7c | 558 | const WOLFSSL_X509 *issuer) |
| wolfSSL | 15:117db924cf7c | 559 | { |
| wolfSSL | 15:117db924cf7c | 560 | WOLFSSL_OCSP_CERTID* certId; |
| wolfSSL | 15:117db924cf7c | 561 | DecodedCert cert; |
| wolfSSL | 15:117db924cf7c | 562 | WOLFSSL_CERT_MANAGER* cm; |
| wolfSSL | 15:117db924cf7c | 563 | int ret; |
| wolfSSL | 15:117db924cf7c | 564 | DerBuffer* derCert = NULL; |
| wolfSSL | 15:117db924cf7c | 565 | |
| wolfSSL | 15:117db924cf7c | 566 | (void)dgst; |
| wolfSSL | 15:117db924cf7c | 567 | |
| wolfSSL | 15:117db924cf7c | 568 | cm = wolfSSL_CertManagerNew(); |
| wolfSSL | 15:117db924cf7c | 569 | if (cm == NULL) |
| wolfSSL | 15:117db924cf7c | 570 | return NULL; |
| wolfSSL | 15:117db924cf7c | 571 | |
| wolfSSL | 15:117db924cf7c | 572 | ret = AllocDer(&derCert, issuer->derCert->length, |
| wolfSSL | 15:117db924cf7c | 573 | issuer->derCert->type, NULL); |
| wolfSSL | 15:117db924cf7c | 574 | if (ret == 0) { |
| wolfSSL | 15:117db924cf7c | 575 | /* AddCA() frees the buffer. */ |
| wolfSSL | 15:117db924cf7c | 576 | XMEMCPY(derCert->buffer, issuer->derCert->buffer, |
| wolfSSL | 15:117db924cf7c | 577 | issuer->derCert->length); |
| wolfSSL | 15:117db924cf7c | 578 | AddCA(cm, &derCert, WOLFSSL_USER_CA, 1); |
| wolfSSL | 15:117db924cf7c | 579 | } |
| wolfSSL | 15:117db924cf7c | 580 | |
| wolfSSL | 15:117db924cf7c | 581 | certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL, |
| wolfSSL | 15:117db924cf7c | 582 | DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 583 | if (certId != NULL) { |
| wolfSSL | 15:117db924cf7c | 584 | InitDecodedCert(&cert, subject->derCert->buffer, |
| wolfSSL | 15:117db924cf7c | 585 | subject->derCert->length, NULL); |
| wolfSSL | 15:117db924cf7c | 586 | if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { |
| wolfSSL | 15:117db924cf7c | 587 | XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 588 | certId = NULL; |
| wolfSSL | 15:117db924cf7c | 589 | } |
| wolfSSL | 15:117db924cf7c | 590 | else { |
| wolfSSL | 15:117db924cf7c | 591 | ret = InitOcspRequest(certId, &cert, 0, NULL); |
| wolfSSL | 15:117db924cf7c | 592 | if (ret != 0) { |
| wolfSSL | 15:117db924cf7c | 593 | XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 594 | certId = NULL; |
| wolfSSL | 15:117db924cf7c | 595 | } |
| wolfSSL | 15:117db924cf7c | 596 | } |
| wolfSSL | 15:117db924cf7c | 597 | FreeDecodedCert(&cert); |
| wolfSSL | 15:117db924cf7c | 598 | } |
| wolfSSL | 15:117db924cf7c | 599 | |
| wolfSSL | 15:117db924cf7c | 600 | wolfSSL_CertManagerFree(cm); |
| wolfSSL | 15:117db924cf7c | 601 | |
| wolfSSL | 15:117db924cf7c | 602 | return certId; |
| wolfSSL | 15:117db924cf7c | 603 | } |
| wolfSSL | 15:117db924cf7c | 604 | |
| wolfSSL | 15:117db924cf7c | 605 | void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) |
| wolfSSL | 15:117db924cf7c | 606 | { |
| wolfSSL | 15:117db924cf7c | 607 | wolfSSL_OCSP_RESPONSE_free(basicResponse); |
| wolfSSL | 15:117db924cf7c | 608 | } |
| wolfSSL | 15:117db924cf7c | 609 | |
| wolfSSL | 15:117db924cf7c | 610 | /* Signature verified in DecodeBasicOcspResponse. |
| wolfSSL | 15:117db924cf7c | 611 | * But no store available to verify certificate. */ |
| wolfSSL | 15:117db924cf7c | 612 | int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, |
| wolfSSL | 15:117db924cf7c | 613 | WOLF_STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags) |
| wolfSSL | 15:117db924cf7c | 614 | { |
| wolfSSL | 15:117db924cf7c | 615 | DecodedCert cert; |
| wolfSSL | 15:117db924cf7c | 616 | int ret = WOLFSSL_SUCCESS; |
| wolfSSL | 15:117db924cf7c | 617 | |
| wolfSSL | 15:117db924cf7c | 618 | (void)certs; |
| wolfSSL | 15:117db924cf7c | 619 | |
| wolfSSL | 15:117db924cf7c | 620 | if (flags & OCSP_NOVERIFY) |
| wolfSSL | 15:117db924cf7c | 621 | return WOLFSSL_SUCCESS; |
| wolfSSL | 15:117db924cf7c | 622 | |
| wolfSSL | 15:117db924cf7c | 623 | #ifdef OPENSSL_EXTRA |
| wolfSSL | 15:117db924cf7c | 624 | if (bs->verifyError != OCSP_VERIFY_ERROR_NONE) |
| wolfSSL | 15:117db924cf7c | 625 | return WOLFSSL_FAILURE; |
| wolfSSL | 15:117db924cf7c | 626 | #endif |
| wolfSSL | 15:117db924cf7c | 627 | |
| wolfSSL | 15:117db924cf7c | 628 | InitDecodedCert(&cert, bs->cert, bs->certSz, NULL); |
| wolfSSL | 15:117db924cf7c | 629 | if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0) |
| wolfSSL | 15:117db924cf7c | 630 | ret = WOLFSSL_FAILURE; |
| wolfSSL | 15:117db924cf7c | 631 | FreeDecodedCert(&cert); |
| wolfSSL | 15:117db924cf7c | 632 | |
| wolfSSL | 15:117db924cf7c | 633 | return ret; |
| wolfSSL | 15:117db924cf7c | 634 | } |
| wolfSSL | 15:117db924cf7c | 635 | |
| wolfSSL | 15:117db924cf7c | 636 | void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response) |
| wolfSSL | 15:117db924cf7c | 637 | { |
| wolfSSL | 15:117db924cf7c | 638 | if (response->status != NULL) |
| wolfSSL | 15:117db924cf7c | 639 | XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 640 | if (response->source != NULL) |
| wolfSSL | 15:117db924cf7c | 641 | XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 642 | XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 643 | } |
| wolfSSL | 15:117db924cf7c | 644 | |
| wolfSSL | 15:117db924cf7c | 645 | OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, |
| wolfSSL | 15:117db924cf7c | 646 | OcspResponse** response) |
| wolfSSL | 15:117db924cf7c | 647 | { |
| wolfSSL | 15:117db924cf7c | 648 | byte* data; |
| wolfSSL | 15:117db924cf7c | 649 | byte* p; |
| wolfSSL | 15:117db924cf7c | 650 | int len; |
| wolfSSL | 15:117db924cf7c | 651 | int dataAlloced = 0; |
| wolfSSL | 15:117db924cf7c | 652 | OcspResponse* ret = NULL; |
| wolfSSL | 15:117db924cf7c | 653 | |
| wolfSSL | 15:117db924cf7c | 654 | if (bio == NULL) |
| wolfSSL | 15:117db924cf7c | 655 | return NULL; |
| wolfSSL | 15:117db924cf7c | 656 | |
| wolfSSL | 15:117db924cf7c | 657 | if (bio->type == WOLFSSL_BIO_MEMORY) { |
| wolfSSL | 15:117db924cf7c | 658 | len = wolfSSL_BIO_get_mem_data(bio, &data); |
| wolfSSL | 15:117db924cf7c | 659 | if (len <= 0 || data == NULL) { |
| wolfSSL | 15:117db924cf7c | 660 | return NULL; |
| wolfSSL | 15:117db924cf7c | 661 | } |
| wolfSSL | 15:117db924cf7c | 662 | } |
| wolfSSL | 15:117db924cf7c | 663 | #ifndef NO_FILESYSTEM |
| wolfSSL | 15:117db924cf7c | 664 | else if (bio->type == WOLFSSL_BIO_FILE) { |
| wolfSSL | 16:8e0d178b1d1e | 665 | long fcur; |
| wolfSSL | 16:8e0d178b1d1e | 666 | long flen; |
| wolfSSL | 15:117db924cf7c | 667 | |
| wolfSSL | 16:8e0d178b1d1e | 668 | if (bio->ptr == NULL) |
| wolfSSL | 15:117db924cf7c | 669 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 670 | |
| wolfSSL | 16:8e0d178b1d1e | 671 | fcur = XFTELL((XFILE)bio->ptr); |
| wolfSSL | 16:8e0d178b1d1e | 672 | if (fcur < 0) |
| wolfSSL | 15:117db924cf7c | 673 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 674 | if(XFSEEK((XFILE)bio->ptr, 0, SEEK_END) != 0) |
| wolfSSL | 16:8e0d178b1d1e | 675 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 676 | flen = XFTELL((XFILE)bio->ptr); |
| wolfSSL | 16:8e0d178b1d1e | 677 | if (flen < 0) |
| wolfSSL | 16:8e0d178b1d1e | 678 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 679 | if (XFSEEK((XFILE)bio->ptr, fcur, SEEK_SET) != 0) |
| wolfSSL | 15:117db924cf7c | 680 | return NULL; |
| wolfSSL | 15:117db924cf7c | 681 | |
| wolfSSL | 15:117db924cf7c | 682 | /* check calculated length */ |
| wolfSSL | 16:8e0d178b1d1e | 683 | fcur = flen - fcur; |
| wolfSSL | 16:8e0d178b1d1e | 684 | if (fcur > MAX_WOLFSSL_FILE_SIZE || fcur <= 0) |
| wolfSSL | 15:117db924cf7c | 685 | return NULL; |
| wolfSSL | 15:117db924cf7c | 686 | |
| wolfSSL | 16:8e0d178b1d1e | 687 | data = (byte*)XMALLOC(fcur, 0, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 688 | if (data == NULL) |
| wolfSSL | 15:117db924cf7c | 689 | return NULL; |
| wolfSSL | 15:117db924cf7c | 690 | dataAlloced = 1; |
| wolfSSL | 15:117db924cf7c | 691 | |
| wolfSSL | 16:8e0d178b1d1e | 692 | len = wolfSSL_BIO_read(bio, (char *)data, (int)flen); |
| wolfSSL | 15:117db924cf7c | 693 | } |
| wolfSSL | 15:117db924cf7c | 694 | #endif |
| wolfSSL | 15:117db924cf7c | 695 | else |
| wolfSSL | 15:117db924cf7c | 696 | return NULL; |
| wolfSSL | 15:117db924cf7c | 697 | |
| wolfSSL | 15:117db924cf7c | 698 | if (len > 0) { |
| wolfSSL | 15:117db924cf7c | 699 | p = data; |
| wolfSSL | 16:8e0d178b1d1e | 700 | ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, |
| wolfSSL | 16:8e0d178b1d1e | 701 | len); |
| wolfSSL | 15:117db924cf7c | 702 | } |
| wolfSSL | 15:117db924cf7c | 703 | |
| wolfSSL | 15:117db924cf7c | 704 | if (dataAlloced) |
| wolfSSL | 15:117db924cf7c | 705 | XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 706 | |
| wolfSSL | 15:117db924cf7c | 707 | return ret; |
| wolfSSL | 15:117db924cf7c | 708 | } |
| wolfSSL | 15:117db924cf7c | 709 | |
| wolfSSL | 15:117db924cf7c | 710 | OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, |
| wolfSSL | 15:117db924cf7c | 711 | const unsigned char** data, int len) |
| wolfSSL | 15:117db924cf7c | 712 | { |
| wolfSSL | 15:117db924cf7c | 713 | OcspResponse *resp = NULL; |
| wolfSSL | 15:117db924cf7c | 714 | word32 idx = 0; |
| wolfSSL | 15:117db924cf7c | 715 | int length = 0; |
| wolfSSL | 15:117db924cf7c | 716 | |
| wolfSSL | 15:117db924cf7c | 717 | if (data == NULL) |
| wolfSSL | 15:117db924cf7c | 718 | return NULL; |
| wolfSSL | 15:117db924cf7c | 719 | |
| wolfSSL | 15:117db924cf7c | 720 | if (response != NULL) |
| wolfSSL | 15:117db924cf7c | 721 | resp = *response; |
| wolfSSL | 15:117db924cf7c | 722 | if (resp == NULL) { |
| wolfSSL | 15:117db924cf7c | 723 | resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, |
| wolfSSL | 15:117db924cf7c | 724 | DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 725 | if (resp == NULL) |
| wolfSSL | 15:117db924cf7c | 726 | return NULL; |
| wolfSSL | 15:117db924cf7c | 727 | XMEMSET(resp, 0, sizeof(OcspResponse)); |
| wolfSSL | 15:117db924cf7c | 728 | } |
| wolfSSL | 15:117db924cf7c | 729 | |
| wolfSSL | 15:117db924cf7c | 730 | resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 731 | if (resp->source == NULL) { |
| wolfSSL | 15:117db924cf7c | 732 | XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 733 | return NULL; |
| wolfSSL | 15:117db924cf7c | 734 | } |
| wolfSSL | 15:117db924cf7c | 735 | resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
| wolfSSL | 15:117db924cf7c | 736 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 737 | if (resp->status == NULL) { |
| wolfSSL | 15:117db924cf7c | 738 | XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 739 | XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 740 | return NULL; |
| wolfSSL | 15:117db924cf7c | 741 | } |
| wolfSSL | 15:117db924cf7c | 742 | |
| wolfSSL | 15:117db924cf7c | 743 | XMEMCPY(resp->source, *data, len); |
| wolfSSL | 15:117db924cf7c | 744 | resp->maxIdx = len; |
| wolfSSL | 15:117db924cf7c | 745 | |
| wolfSSL | 15:117db924cf7c | 746 | if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { |
| wolfSSL | 15:117db924cf7c | 747 | wolfSSL_OCSP_RESPONSE_free(resp); |
| wolfSSL | 15:117db924cf7c | 748 | return NULL; |
| wolfSSL | 15:117db924cf7c | 749 | } |
| wolfSSL | 15:117db924cf7c | 750 | |
| wolfSSL | 15:117db924cf7c | 751 | if (GetSequence(*data, &idx, &length, len) >= 0) |
| wolfSSL | 15:117db924cf7c | 752 | (*data) += idx + length; |
| wolfSSL | 15:117db924cf7c | 753 | |
| wolfSSL | 15:117db924cf7c | 754 | return resp; |
| wolfSSL | 15:117db924cf7c | 755 | } |
| wolfSSL | 15:117db924cf7c | 756 | |
| wolfSSL | 15:117db924cf7c | 757 | int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response, |
| wolfSSL | 15:117db924cf7c | 758 | unsigned char** data) |
| wolfSSL | 15:117db924cf7c | 759 | { |
| wolfSSL | 15:117db924cf7c | 760 | if (data == NULL) |
| wolfSSL | 15:117db924cf7c | 761 | return response->maxIdx; |
| wolfSSL | 15:117db924cf7c | 762 | |
| wolfSSL | 15:117db924cf7c | 763 | XMEMCPY(*data, response->source, response->maxIdx); |
| wolfSSL | 15:117db924cf7c | 764 | return response->maxIdx; |
| wolfSSL | 15:117db924cf7c | 765 | } |
| wolfSSL | 15:117db924cf7c | 766 | |
| wolfSSL | 15:117db924cf7c | 767 | int wolfSSL_OCSP_response_status(OcspResponse *response) |
| wolfSSL | 15:117db924cf7c | 768 | { |
| wolfSSL | 15:117db924cf7c | 769 | return response->responseStatus; |
| wolfSSL | 15:117db924cf7c | 770 | } |
| wolfSSL | 15:117db924cf7c | 771 | |
| wolfSSL | 15:117db924cf7c | 772 | const char *wolfSSL_OCSP_response_status_str(long s) |
| wolfSSL | 15:117db924cf7c | 773 | { |
| wolfSSL | 15:117db924cf7c | 774 | switch (s) { |
| wolfSSL | 15:117db924cf7c | 775 | case OCSP_SUCCESSFUL: |
| wolfSSL | 15:117db924cf7c | 776 | return "successful"; |
| wolfSSL | 15:117db924cf7c | 777 | case OCSP_MALFORMED_REQUEST: |
| wolfSSL | 15:117db924cf7c | 778 | return "malformedrequest"; |
| wolfSSL | 15:117db924cf7c | 779 | case OCSP_INTERNAL_ERROR: |
| wolfSSL | 15:117db924cf7c | 780 | return "internalerror"; |
| wolfSSL | 15:117db924cf7c | 781 | case OCSP_TRY_LATER: |
| wolfSSL | 15:117db924cf7c | 782 | return "trylater"; |
| wolfSSL | 15:117db924cf7c | 783 | case OCSP_SIG_REQUIRED: |
| wolfSSL | 15:117db924cf7c | 784 | return "sigrequired"; |
| wolfSSL | 15:117db924cf7c | 785 | case OCSP_UNAUTHROIZED: |
| wolfSSL | 15:117db924cf7c | 786 | return "unauthorized"; |
| wolfSSL | 15:117db924cf7c | 787 | default: |
| wolfSSL | 15:117db924cf7c | 788 | return "(UNKNOWN)"; |
| wolfSSL | 15:117db924cf7c | 789 | } |
| wolfSSL | 15:117db924cf7c | 790 | } |
| wolfSSL | 15:117db924cf7c | 791 | |
| wolfSSL | 15:117db924cf7c | 792 | WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response) |
| wolfSSL | 15:117db924cf7c | 793 | { |
| wolfSSL | 15:117db924cf7c | 794 | WOLFSSL_OCSP_BASICRESP* bs; |
| wolfSSL | 15:117db924cf7c | 795 | |
| wolfSSL | 15:117db924cf7c | 796 | bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL, |
| wolfSSL | 15:117db924cf7c | 797 | DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 798 | if (bs == NULL) |
| wolfSSL | 15:117db924cf7c | 799 | return NULL; |
| wolfSSL | 15:117db924cf7c | 800 | |
| wolfSSL | 15:117db924cf7c | 801 | XMEMCPY(bs, response, sizeof(OcspResponse)); |
| wolfSSL | 15:117db924cf7c | 802 | bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, |
| wolfSSL | 15:117db924cf7c | 803 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 804 | bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 805 | if (bs->status == NULL || bs->source == NULL) { |
| wolfSSL | 15:117db924cf7c | 806 | if (bs->status) XFREE(bs->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 807 | if (bs->source) XFREE(bs->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 15:117db924cf7c | 808 | wolfSSL_OCSP_RESPONSE_free(bs); |
| wolfSSL | 15:117db924cf7c | 809 | bs = NULL; |
| wolfSSL | 15:117db924cf7c | 810 | } |
| wolfSSL | 15:117db924cf7c | 811 | else { |
| wolfSSL | 15:117db924cf7c | 812 | XMEMCPY(bs->status, response->status, sizeof(CertStatus)); |
| wolfSSL | 15:117db924cf7c | 813 | XMEMCPY(bs->source, response->source, response->maxIdx); |
| wolfSSL | 15:117db924cf7c | 814 | } |
| wolfSSL | 15:117db924cf7c | 815 | return bs; |
| wolfSSL | 15:117db924cf7c | 816 | } |
| wolfSSL | 15:117db924cf7c | 817 | |
| wolfSSL | 15:117db924cf7c | 818 | OcspRequest* wolfSSL_OCSP_REQUEST_new(void) |
| wolfSSL | 15:117db924cf7c | 819 | { |
| wolfSSL | 15:117db924cf7c | 820 | OcspRequest* request; |
| wolfSSL | 15:117db924cf7c | 821 | |
| wolfSSL | 15:117db924cf7c | 822 | request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, |
| wolfSSL | 15:117db924cf7c | 823 | DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 824 | if (request != NULL) |
| wolfSSL | 15:117db924cf7c | 825 | XMEMSET(request, 0, sizeof(OcspRequest)); |
| wolfSSL | 15:117db924cf7c | 826 | |
| wolfSSL | 15:117db924cf7c | 827 | return request; |
| wolfSSL | 15:117db924cf7c | 828 | } |
| wolfSSL | 15:117db924cf7c | 829 | |
| wolfSSL | 15:117db924cf7c | 830 | void wolfSSL_OCSP_REQUEST_free(OcspRequest* request) |
| wolfSSL | 15:117db924cf7c | 831 | { |
| wolfSSL | 15:117db924cf7c | 832 | FreeOcspRequest(request); |
| wolfSSL | 15:117db924cf7c | 833 | XFREE(request, NULL, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 15:117db924cf7c | 834 | } |
| wolfSSL | 15:117db924cf7c | 835 | |
| wolfSSL | 15:117db924cf7c | 836 | int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data) |
| wolfSSL | 15:117db924cf7c | 837 | { |
| wolfSSL | 16:8e0d178b1d1e | 838 | int size; |
| wolfSSL | 15:117db924cf7c | 839 | |
| wolfSSL | 15:117db924cf7c | 840 | size = EncodeOcspRequest(request, NULL, 0); |
| wolfSSL | 15:117db924cf7c | 841 | if (size <= 0 || data == NULL) |
| wolfSSL | 15:117db924cf7c | 842 | return size; |
| wolfSSL | 15:117db924cf7c | 843 | |
| wolfSSL | 15:117db924cf7c | 844 | return EncodeOcspRequest(request, *data, size); |
| wolfSSL | 15:117db924cf7c | 845 | } |
| wolfSSL | 15:117db924cf7c | 846 | |
| wolfSSL | 15:117db924cf7c | 847 | WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req, |
| wolfSSL | 15:117db924cf7c | 848 | WOLFSSL_OCSP_CERTID *cid) |
| wolfSSL | 15:117db924cf7c | 849 | { |
| wolfSSL | 15:117db924cf7c | 850 | if (req == NULL || cid == NULL) |
| wolfSSL | 15:117db924cf7c | 851 | return NULL; |
| wolfSSL | 15:117db924cf7c | 852 | |
| wolfSSL | 15:117db924cf7c | 853 | FreeOcspRequest(req); |
| wolfSSL | 15:117db924cf7c | 854 | XMEMCPY(req, cid, sizeof(OcspRequest)); |
| wolfSSL | 15:117db924cf7c | 855 | |
| wolfSSL | 15:117db924cf7c | 856 | if (cid->serial != NULL) { |
| wolfSSL | 15:117db924cf7c | 857 | req->serial = (byte*)XMALLOC(cid->serialSz, NULL, |
| wolfSSL | 15:117db924cf7c | 858 | DYNAMIC_TYPE_OCSP_REQUEST); |
| wolfSSL | 15:117db924cf7c | 859 | req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST); |
| wolfSSL | 15:117db924cf7c | 860 | if (req->serial == NULL || req->url == NULL) { |
| wolfSSL | 15:117db924cf7c | 861 | FreeOcspRequest(req); |
| wolfSSL | 15:117db924cf7c | 862 | return NULL; |
| wolfSSL | 15:117db924cf7c | 863 | } |
| wolfSSL | 15:117db924cf7c | 864 | |
| wolfSSL | 15:117db924cf7c | 865 | XMEMCPY(req->serial, cid->serial, cid->serialSz); |
| wolfSSL | 15:117db924cf7c | 866 | XMEMCPY(req->url, cid->url, cid->urlSz); |
| wolfSSL | 15:117db924cf7c | 867 | } |
| wolfSSL | 15:117db924cf7c | 868 | |
| wolfSSL | 15:117db924cf7c | 869 | wolfSSL_OCSP_REQUEST_free(cid); |
| wolfSSL | 15:117db924cf7c | 870 | |
| wolfSSL | 15:117db924cf7c | 871 | return req; |
| wolfSSL | 15:117db924cf7c | 872 | } |
| wolfSSL | 15:117db924cf7c | 873 | |
| wolfSSL | 16:8e0d178b1d1e | 874 | WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_CERTID_dup(WOLFSSL_OCSP_CERTID* id) |
| wolfSSL | 16:8e0d178b1d1e | 875 | { |
| wolfSSL | 16:8e0d178b1d1e | 876 | WOLFSSL_OCSP_CERTID* certId; |
| wolfSSL | 16:8e0d178b1d1e | 877 | |
| wolfSSL | 16:8e0d178b1d1e | 878 | if (id == NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 879 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 880 | } |
| wolfSSL | 16:8e0d178b1d1e | 881 | |
| wolfSSL | 16:8e0d178b1d1e | 882 | certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), |
| wolfSSL | 16:8e0d178b1d1e | 883 | id->heap, DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 16:8e0d178b1d1e | 884 | if (certId) { |
| wolfSSL | 16:8e0d178b1d1e | 885 | XMEMCPY(certId, id, sizeof(WOLFSSL_OCSP_CERTID)); |
| wolfSSL | 16:8e0d178b1d1e | 886 | } |
| wolfSSL | 16:8e0d178b1d1e | 887 | return certId; |
| wolfSSL | 16:8e0d178b1d1e | 888 | } |
| wolfSSL | 15:117db924cf7c | 889 | #endif |
| wolfSSL | 15:117db924cf7c | 890 | |
| wolfSSL | 16:8e0d178b1d1e | 891 | #if defined(OPENSSL_ALL) || defined(APACHE_HTTPD) |
| wolfSSL | 16:8e0d178b1d1e | 892 | int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out, |
| wolfSSL | 16:8e0d178b1d1e | 893 | WOLFSSL_OCSP_REQUEST *req) |
| wolfSSL | 16:8e0d178b1d1e | 894 | { |
| wolfSSL | 16:8e0d178b1d1e | 895 | int size = -1; |
| wolfSSL | 16:8e0d178b1d1e | 896 | unsigned char* data = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 897 | |
| wolfSSL | 16:8e0d178b1d1e | 898 | WOLFSSL_ENTER("wolfSSL_i2d_OCSP_REQUEST_bio"); |
| wolfSSL | 16:8e0d178b1d1e | 899 | if (out == NULL || req == NULL) |
| wolfSSL | 16:8e0d178b1d1e | 900 | return WOLFSSL_FAILURE; |
| wolfSSL | 16:8e0d178b1d1e | 901 | |
| wolfSSL | 16:8e0d178b1d1e | 902 | size = wolfSSL_i2d_OCSP_REQUEST(req, NULL); |
| wolfSSL | 16:8e0d178b1d1e | 903 | if (size > 0) { |
| wolfSSL | 16:8e0d178b1d1e | 904 | data = (unsigned char*) XMALLOC(size, out->heap, |
| wolfSSL | 16:8e0d178b1d1e | 905 | DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 16:8e0d178b1d1e | 906 | } |
| wolfSSL | 16:8e0d178b1d1e | 907 | |
| wolfSSL | 16:8e0d178b1d1e | 908 | if (data != NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 909 | size = wolfSSL_i2d_OCSP_REQUEST(req, &data); |
| wolfSSL | 16:8e0d178b1d1e | 910 | } |
| wolfSSL | 16:8e0d178b1d1e | 911 | |
| wolfSSL | 16:8e0d178b1d1e | 912 | if (size <= 0) { |
| wolfSSL | 16:8e0d178b1d1e | 913 | XFREE(data, out->heap, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 16:8e0d178b1d1e | 914 | return WOLFSSL_FAILURE; |
| wolfSSL | 16:8e0d178b1d1e | 915 | } |
| wolfSSL | 16:8e0d178b1d1e | 916 | |
| wolfSSL | 16:8e0d178b1d1e | 917 | if (wolfSSL_BIO_write(out, data, size) == (int)size) { |
| wolfSSL | 16:8e0d178b1d1e | 918 | XFREE(data, out->heap, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 16:8e0d178b1d1e | 919 | return WOLFSSL_SUCCESS; |
| wolfSSL | 16:8e0d178b1d1e | 920 | } |
| wolfSSL | 16:8e0d178b1d1e | 921 | |
| wolfSSL | 16:8e0d178b1d1e | 922 | XFREE(data, out->heap, DYNAMIC_TYPE_TMP_BUFFER); |
| wolfSSL | 16:8e0d178b1d1e | 923 | return WOLFSSL_FAILURE; |
| wolfSSL | 16:8e0d178b1d1e | 924 | } |
| wolfSSL | 16:8e0d178b1d1e | 925 | #endif /* OPENSSL_ALL || APACHE_HTTPD */ |
| wolfSSL | 16:8e0d178b1d1e | 926 | |
| wolfSSL | 16:8e0d178b1d1e | 927 | #ifdef OPENSSL_EXTRA |
| wolfSSL | 16:8e0d178b1d1e | 928 | #ifndef NO_WOLFSSL_STUB |
| wolfSSL | 16:8e0d178b1d1e | 929 | int wolfSSL_OCSP_REQUEST_add_ext(OcspRequest* req, WOLFSSL_X509_EXTENSION* ext, |
| wolfSSL | 16:8e0d178b1d1e | 930 | int idx) |
| wolfSSL | 16:8e0d178b1d1e | 931 | { |
| wolfSSL | 16:8e0d178b1d1e | 932 | WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_add_ext"); |
| wolfSSL | 16:8e0d178b1d1e | 933 | (void)req; |
| wolfSSL | 16:8e0d178b1d1e | 934 | (void)ext; |
| wolfSSL | 16:8e0d178b1d1e | 935 | (void)idx; |
| wolfSSL | 16:8e0d178b1d1e | 936 | return WOLFSSL_FATAL_ERROR; |
| wolfSSL | 16:8e0d178b1d1e | 937 | } |
| wolfSSL | 16:8e0d178b1d1e | 938 | #endif |
| wolfSSL | 16:8e0d178b1d1e | 939 | |
| wolfSSL | 16:8e0d178b1d1e | 940 | #ifndef NO_WOLFSSL_STUB |
| wolfSSL | 16:8e0d178b1d1e | 941 | OcspResponse* wolfSSL_OCSP_response_create(int status, |
| wolfSSL | 16:8e0d178b1d1e | 942 | WOLFSSL_OCSP_BASICRESP* bs) |
| wolfSSL | 16:8e0d178b1d1e | 943 | { |
| wolfSSL | 16:8e0d178b1d1e | 944 | WOLFSSL_STUB("wolfSSL_OCSP_response_create"); |
| wolfSSL | 16:8e0d178b1d1e | 945 | (void)status; |
| wolfSSL | 16:8e0d178b1d1e | 946 | (void)bs; |
| wolfSSL | 16:8e0d178b1d1e | 947 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 948 | } |
| wolfSSL | 16:8e0d178b1d1e | 949 | #endif |
| wolfSSL | 16:8e0d178b1d1e | 950 | |
| wolfSSL | 16:8e0d178b1d1e | 951 | #ifndef NO_WOLFSSL_STUB |
| wolfSSL | 16:8e0d178b1d1e | 952 | const char* wolfSSL_OCSP_crl_reason_str(long s) |
| wolfSSL | 16:8e0d178b1d1e | 953 | { |
| wolfSSL | 16:8e0d178b1d1e | 954 | WOLFSSL_STUB("wolfSSL_OCSP_crl_reason_str"); |
| wolfSSL | 16:8e0d178b1d1e | 955 | (void)s; |
| wolfSSL | 16:8e0d178b1d1e | 956 | return NULL; |
| wolfSSL | 16:8e0d178b1d1e | 957 | } |
| wolfSSL | 16:8e0d178b1d1e | 958 | #endif |
| wolfSSL | 16:8e0d178b1d1e | 959 | |
| wolfSSL | 16:8e0d178b1d1e | 960 | /* Returns elements of an OCSP_CERTID struct. Currently only supports |
| wolfSSL | 16:8e0d178b1d1e | 961 | * returning the serial number, and returns an error if user requests |
| wolfSSL | 16:8e0d178b1d1e | 962 | * any of name, pmd, and/or keyHash. |
| wolfSSL | 16:8e0d178b1d1e | 963 | * Return 1 on success, 0 on failure */ |
| wolfSSL | 16:8e0d178b1d1e | 964 | int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name, |
| wolfSSL | 16:8e0d178b1d1e | 965 | WOLFSSL_ASN1_OBJECT **pmd, WOLFSSL_ASN1_STRING **keyHash, |
| wolfSSL | 16:8e0d178b1d1e | 966 | WOLFSSL_ASN1_INTEGER **serial, WOLFSSL_OCSP_CERTID *cid) |
| wolfSSL | 16:8e0d178b1d1e | 967 | { |
| wolfSSL | 16:8e0d178b1d1e | 968 | int i = 0; |
| wolfSSL | 16:8e0d178b1d1e | 969 | WOLFSSL_ASN1_INTEGER* ser; |
| wolfSSL | 16:8e0d178b1d1e | 970 | |
| wolfSSL | 16:8e0d178b1d1e | 971 | WOLFSSL_ENTER("wolfSSL_OCSP_id_get0_info"); |
| wolfSSL | 16:8e0d178b1d1e | 972 | |
| wolfSSL | 16:8e0d178b1d1e | 973 | if (cid == NULL) |
| wolfSSL | 16:8e0d178b1d1e | 974 | return 0; |
| wolfSSL | 16:8e0d178b1d1e | 975 | |
| wolfSSL | 16:8e0d178b1d1e | 976 | /* build up ASN1_INTEGER for serial */ |
| wolfSSL | 16:8e0d178b1d1e | 977 | if (serial != NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 978 | ser = wolfSSL_ASN1_INTEGER_new(); |
| wolfSSL | 16:8e0d178b1d1e | 979 | if (ser == NULL) |
| wolfSSL | 16:8e0d178b1d1e | 980 | return 0; |
| wolfSSL | 16:8e0d178b1d1e | 981 | |
| wolfSSL | 16:8e0d178b1d1e | 982 | if (cid->serialSz > (WOLFSSL_ASN1_INTEGER_MAX - 2)) { |
| wolfSSL | 16:8e0d178b1d1e | 983 | /* allocate data buffer, +2 for type and length */ |
| wolfSSL | 16:8e0d178b1d1e | 984 | ser->data = (unsigned char*)XMALLOC(cid->serialSz + 2, NULL, |
| wolfSSL | 16:8e0d178b1d1e | 985 | DYNAMIC_TYPE_OPENSSL); |
| wolfSSL | 16:8e0d178b1d1e | 986 | if (ser->data == NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 987 | wolfSSL_ASN1_INTEGER_free(ser); |
| wolfSSL | 16:8e0d178b1d1e | 988 | return 0; |
| wolfSSL | 16:8e0d178b1d1e | 989 | } |
| wolfSSL | 16:8e0d178b1d1e | 990 | ser->dataMax = cid->serialSz + 2; |
| wolfSSL | 16:8e0d178b1d1e | 991 | ser->isDynamic = 1; |
| wolfSSL | 16:8e0d178b1d1e | 992 | } else { |
| wolfSSL | 16:8e0d178b1d1e | 993 | /* Use array instead of dynamic memory */ |
| wolfSSL | 16:8e0d178b1d1e | 994 | ser->data = ser->intData; |
| wolfSSL | 16:8e0d178b1d1e | 995 | ser->dataMax = WOLFSSL_ASN1_INTEGER_MAX; |
| wolfSSL | 16:8e0d178b1d1e | 996 | } |
| wolfSSL | 16:8e0d178b1d1e | 997 | |
| wolfSSL | 16:8e0d178b1d1e | 998 | #ifdef WOLFSSL_QT |
| wolfSSL | 16:8e0d178b1d1e | 999 | /* Serial number starts at 0 index of ser->data */ |
| wolfSSL | 16:8e0d178b1d1e | 1000 | XMEMCPY(&ser->data[i], cid->serial, cid->serialSz); |
| wolfSSL | 16:8e0d178b1d1e | 1001 | ser->length = cid->serialSz; |
| wolfSSL | 16:8e0d178b1d1e | 1002 | #else |
| wolfSSL | 16:8e0d178b1d1e | 1003 | ser->data[i++] = ASN_INTEGER; |
| wolfSSL | 16:8e0d178b1d1e | 1004 | i += SetLength(cid->serialSz, ser->data + i); |
| wolfSSL | 16:8e0d178b1d1e | 1005 | XMEMCPY(&ser->data[i], cid->serial, cid->serialSz); |
| wolfSSL | 16:8e0d178b1d1e | 1006 | #endif |
| wolfSSL | 16:8e0d178b1d1e | 1007 | |
| wolfSSL | 16:8e0d178b1d1e | 1008 | cid->serialInt = ser; |
| wolfSSL | 16:8e0d178b1d1e | 1009 | *serial = cid->serialInt; |
| wolfSSL | 16:8e0d178b1d1e | 1010 | } |
| wolfSSL | 16:8e0d178b1d1e | 1011 | |
| wolfSSL | 16:8e0d178b1d1e | 1012 | /* Not needed for Apache, return error if user is requesting */ |
| wolfSSL | 16:8e0d178b1d1e | 1013 | if (name != NULL || pmd != NULL || keyHash != NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 1014 | if (name != NULL) |
| wolfSSL | 16:8e0d178b1d1e | 1015 | *name = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 1016 | |
| wolfSSL | 16:8e0d178b1d1e | 1017 | if (pmd != NULL) |
| wolfSSL | 16:8e0d178b1d1e | 1018 | *pmd = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 1019 | |
| wolfSSL | 16:8e0d178b1d1e | 1020 | if (keyHash != NULL) |
| wolfSSL | 16:8e0d178b1d1e | 1021 | *keyHash = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 1022 | return 0; |
| wolfSSL | 16:8e0d178b1d1e | 1023 | } |
| wolfSSL | 16:8e0d178b1d1e | 1024 | |
| wolfSSL | 16:8e0d178b1d1e | 1025 | return 1; |
| wolfSSL | 16:8e0d178b1d1e | 1026 | } |
| wolfSSL | 16:8e0d178b1d1e | 1027 | |
| wolfSSL | 16:8e0d178b1d1e | 1028 | #ifndef NO_WOLFSSL_STUB |
| wolfSSL | 16:8e0d178b1d1e | 1029 | int wolfSSL_OCSP_request_add1_nonce(OcspRequest* req, unsigned char* val, |
| wolfSSL | 16:8e0d178b1d1e | 1030 | int sz) |
| wolfSSL | 16:8e0d178b1d1e | 1031 | { |
| wolfSSL | 16:8e0d178b1d1e | 1032 | WOLFSSL_STUB("wolfSSL_OCSP_request_add1_nonce"); |
| wolfSSL | 16:8e0d178b1d1e | 1033 | (void)req; |
| wolfSSL | 16:8e0d178b1d1e | 1034 | (void)val; |
| wolfSSL | 16:8e0d178b1d1e | 1035 | (void)sz; |
| wolfSSL | 16:8e0d178b1d1e | 1036 | return WOLFSSL_FATAL_ERROR; |
| wolfSSL | 16:8e0d178b1d1e | 1037 | } |
| wolfSSL | 16:8e0d178b1d1e | 1038 | #endif |
| wolfSSL | 16:8e0d178b1d1e | 1039 | |
| wolfSSL | 16:8e0d178b1d1e | 1040 | /* Returns result of OCSP nonce comparison. Return values: |
| wolfSSL | 16:8e0d178b1d1e | 1041 | * 1 - nonces are both present and equal |
| wolfSSL | 16:8e0d178b1d1e | 1042 | * 2 - both nonces are absent |
| wolfSSL | 16:8e0d178b1d1e | 1043 | * 3 - nonce only present in response |
| wolfSSL | 16:8e0d178b1d1e | 1044 | * -1 - nonce only present in request |
| wolfSSL | 16:8e0d178b1d1e | 1045 | * 0 - both nonces present and equal |
| wolfSSL | 16:8e0d178b1d1e | 1046 | */ |
| wolfSSL | 16:8e0d178b1d1e | 1047 | int wolfSSL_OCSP_check_nonce(OcspRequest* req, WOLFSSL_OCSP_BASICRESP* bs) |
| wolfSSL | 16:8e0d178b1d1e | 1048 | { |
| wolfSSL | 16:8e0d178b1d1e | 1049 | byte* reqNonce = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 1050 | byte* rspNonce = NULL; |
| wolfSSL | 16:8e0d178b1d1e | 1051 | int reqNonceSz = 0; |
| wolfSSL | 16:8e0d178b1d1e | 1052 | int rspNonceSz = 0; |
| wolfSSL | 16:8e0d178b1d1e | 1053 | |
| wolfSSL | 16:8e0d178b1d1e | 1054 | WOLFSSL_ENTER("wolfSSL_OCSP_check_nonce"); |
| wolfSSL | 16:8e0d178b1d1e | 1055 | |
| wolfSSL | 16:8e0d178b1d1e | 1056 | if (req != NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 1057 | reqNonce = req->nonce; |
| wolfSSL | 16:8e0d178b1d1e | 1058 | reqNonceSz = req->nonceSz; |
| wolfSSL | 16:8e0d178b1d1e | 1059 | } |
| wolfSSL | 16:8e0d178b1d1e | 1060 | |
| wolfSSL | 16:8e0d178b1d1e | 1061 | if (bs != NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 1062 | rspNonce = bs->nonce; |
| wolfSSL | 16:8e0d178b1d1e | 1063 | rspNonceSz = bs->nonceSz; |
| wolfSSL | 16:8e0d178b1d1e | 1064 | } |
| wolfSSL | 16:8e0d178b1d1e | 1065 | |
| wolfSSL | 16:8e0d178b1d1e | 1066 | /* nonce absent in both req and rsp */ |
| wolfSSL | 16:8e0d178b1d1e | 1067 | if (reqNonce == NULL && rspNonce == NULL) |
| wolfSSL | 16:8e0d178b1d1e | 1068 | return 2; |
| wolfSSL | 16:8e0d178b1d1e | 1069 | |
| wolfSSL | 16:8e0d178b1d1e | 1070 | /* nonce present in rsp only */ |
| wolfSSL | 16:8e0d178b1d1e | 1071 | if (reqNonce == NULL && rspNonce != NULL) |
| wolfSSL | 16:8e0d178b1d1e | 1072 | return 3; |
| wolfSSL | 16:8e0d178b1d1e | 1073 | |
| wolfSSL | 16:8e0d178b1d1e | 1074 | /* nonce present in req only */ |
| wolfSSL | 16:8e0d178b1d1e | 1075 | if (reqNonce != NULL && rspNonce == NULL) |
| wolfSSL | 16:8e0d178b1d1e | 1076 | return -1; |
| wolfSSL | 16:8e0d178b1d1e | 1077 | |
| wolfSSL | 16:8e0d178b1d1e | 1078 | /* nonces are present and equal, return 1. Extra NULL check for fixing |
| wolfSSL | 16:8e0d178b1d1e | 1079 | scan-build warning. */ |
| wolfSSL | 16:8e0d178b1d1e | 1080 | if (reqNonceSz == rspNonceSz && reqNonce && rspNonce) { |
| wolfSSL | 16:8e0d178b1d1e | 1081 | if (XMEMCMP(reqNonce, rspNonce, reqNonceSz) == 0) |
| wolfSSL | 16:8e0d178b1d1e | 1082 | return 1; |
| wolfSSL | 16:8e0d178b1d1e | 1083 | } |
| wolfSSL | 16:8e0d178b1d1e | 1084 | |
| wolfSSL | 16:8e0d178b1d1e | 1085 | /* nonces are present but not equal */ |
| wolfSSL | 16:8e0d178b1d1e | 1086 | return 0; |
| wolfSSL | 16:8e0d178b1d1e | 1087 | } |
| wolfSSL | 16:8e0d178b1d1e | 1088 | #endif /* OPENSSL_EXTRA */ |
| wolfSSL | 16:8e0d178b1d1e | 1089 | |
| wolfSSL | 15:117db924cf7c | 1090 | #else /* HAVE_OCSP */ |
| wolfSSL | 15:117db924cf7c | 1091 | |
| wolfSSL | 15:117db924cf7c | 1092 | |
| wolfSSL | 15:117db924cf7c | 1093 | #ifdef _MSC_VER |
| wolfSSL | 15:117db924cf7c | 1094 | /* 4206 warning for blank file */ |
| wolfSSL | 15:117db924cf7c | 1095 | #pragma warning(disable: 4206) |
| wolfSSL | 15:117db924cf7c | 1096 | #endif |
| wolfSSL | 15:117db924cf7c | 1097 | |
| wolfSSL | 15:117db924cf7c | 1098 | |
| wolfSSL | 15:117db924cf7c | 1099 | #endif /* HAVE_OCSP */ |
| wolfSSL | 15:117db924cf7c | 1100 | #endif /* WOLFCRYPT_ONLY */ |
| wolfSSL | 15:117db924cf7c | 1101 |